kubernetes/manifests/apps/kube-system/cilium.yaml

---
helm:
  repo: https://helm.cilium.io/
  chart: cilium
  version: 1.16.3

dependsOn:
  - name: cert-manager-cert-manager
  - name: observability-grafana-agent-cluster
values:
  prometheus:
    enabled: true
    serviceMonitor:
      enabled: true
  cluster:
    name: vilya
    id: 1
  bpf:
    masquerade: true
  rollOutCiliumPods: true
  localRedirectPolicy: true
  kubeProxyReplacement: true
  routingMode: native
  kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
  ipv4NativeRoutingCIDR: 10.244.0.0/16
  ipam:
    mode: kubernetes
  securityContext:
    capabilities:
      ciliumAgent:
        - CHOWN
        - KILL
        - NET_ADMIN
        - NET_RAW
        - IPC_LOCK
        - SYS_ADMIN
        - SYS_RESOURCE
        - DAC_OVERRIDE
        - FOWNER
        - SETGID
        - SETUID
      cleanCiliumState:
        - NET_ADMIN
        - SYS_ADMIN
        - SYS_RESOURCE
  cgroup:
    autoMount:
      enabled: false
    hostRoot: /sys/fs/cgroup
  k8sServiceHost: 192.168.100.100
  k8sServicePort: 6443
  loadBalancer:
    algorithm: maglev
    mode: dsr
  endpointRoutes:
    enabled: true
  autoDirectNodeRoutes: true
  ipv6:
    enabled: false
  operator:
    rollOutPods: true
    dashboards:
      enabled: true
      annotations:
        grafana_folder: Cilium
    prometheus:
      enabled: true
      serviceMonitor:
        enabled: true
  containerRuntime:
    integration: containerd
  hubble:
    enabled: true
    metrics:
      enabled:
        - dns:query
        - drop
        - flow
        - http
        - icmp
        - port-distribution
        - tcp
      serviceMonitor:
        enabled: true
    relay:
      enabled: true
      rollOutPods: true
      prometheus:
        serviceMonitor:
          enabled: true
    ui:
      enabled: true
      rollOutPods: true
      ingress:
        enabled: true
        annotations:
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
          cert-manager.io/cluster-issuer: letsencrypt-production
        hosts:
          - hubble.${SECRET_DOMAIN}
        tls:
          - secretName: hubble-tls
            hosts:
              - hubble.${SECRET_DOMAIN}
  bgpControlPlane:
    enabled: true

resources:
  - apiVersion: cilium.io/v2alpha1
    kind: CiliumBGPClusterConfig
    metadata:
      name: bgp-cluster-config
    spec:
      nodeSelector:
        matchLabels:
          kubernetes.io/os: "linux"
      bgpInstances:
        - name: main-instance
          localASN: 64513
          peers:
            - name: main-peer
              peerASN: 64512
              peerAddress: ${NETWORK_BGP_PEER}
              peerConfigRef:
                name: main-peer-config

  - apiVersion: cilium.io/v2alpha1
    kind: CiliumBGPPeerConfig
    metadata:
      name: main-peer-config
    spec:
      families:
        - afi: ipv4
          safi: unicast
          advertisements:
            matchLabels:
              advertise: bgp
      gracefulRestart:
        enabled: true
        restartTimeSeconds: 120

  - apiVersion: cilium.io/v2alpha1
    kind: CiliumBGPAdvertisement
    metadata:
      name: service-advertisements
      labels:
        advertise: bgp
    spec:
      advertisements:
        - advertisementType: "Service"
          service:
            addresses:
              - ExternalIP
              - LoadBalancerIP
          selector:
            matchExpressions:
              - key: somekey
                operator: NotIn
                values: ["announce-all-services"]

  - apiVersion: cilium.io/v2alpha1
    kind: CiliumLoadBalancerIPPool
    metadata:
      name: blue-pool
    spec:
      blocks:
        - cidr: 192.168.2.0/24